CVE-2024-1092 in RSS Aggregator Plugin
Summary
by MITRE • 02/06/2024
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the feedzy dashboard in all versions up to, and including, 4.4.1. This makes it possible for authenticated attackers, with contributor access or higher, to create, edit or delete feed categories created by them.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/12/2026
The vulnerability identified as CVE-2024-1092 affects the RSS Aggregator by Feedzy plugin for WordPress, a widely used tool for aggregating various types of feeds including news and YouTube content. This plugin enables users to automatically create posts from external feeds, making it a critical component in many content management workflows. The vulnerability resides within the feedzy dashboard functionality and represents a significant security weakness that could be exploited by malicious actors within the WordPress environment. The issue impacts all versions of the plugin up to and including version 4.4.1, indicating that a substantial user base may be at risk from this particular flaw.
The core technical flaw stems from a missing capability check within the feedzy dashboard implementation. This oversight allows authenticated users with contributor-level privileges or higher to perform unauthorized data modification operations on feed categories. Specifically, attackers can create, edit, or delete feed categories that they themselves have created, bypassing the proper access controls that should normally restrict such operations. The vulnerability essentially undermines the principle of least privilege by failing to verify whether the authenticated user has appropriate permissions to modify the specific resources they are attempting to manipulate. This missing validation represents a classic access control flaw that aligns with CWE-285, which addresses insufficient authorization within software systems.
The operational impact of this vulnerability extends beyond simple data modification capabilities and could potentially disrupt content management workflows and compromise data integrity within WordPress installations. An attacker with contributor access or higher could manipulate the feed category structure to redirect content aggregation, potentially causing posts to be generated from unintended sources or to be categorized incorrectly. This could lead to information disclosure, content manipulation, and disruption of legitimate content creation processes. The vulnerability is particularly concerning because it allows attackers to modify the very infrastructure that supports automated content generation, potentially enabling more sophisticated attacks such as content poisoning or the creation of misleading categories that could affect other users within the same WordPress environment.
From a threat modeling perspective, this vulnerability maps to several ATT&CK techniques including T1078 Valid Accounts and T1566 Phishing, as attackers could leverage contributor-level access to escalate their privileges within the feed management system. The vulnerability also relates to T1213 Data from Information Repositories, as it allows unauthorized modification of repository structures. Organizations should implement immediate mitigations including updating to the patched version of the plugin, reviewing user permissions to ensure appropriate access controls, and monitoring for unauthorized modifications to feed categories. The recommended remediation strategy involves applying the latest plugin updates from the vendor, implementing role-based access controls, and conducting regular security audits of WordPress plugins to identify similar authorization flaws. Additionally, organizations should consider implementing network segmentation and monitoring solutions to detect anomalous behavior patterns that might indicate exploitation attempts.